Security breaches of Microsoft Windows environments — whether they are caused by internal or external attackers — often involve misuse of Active Directory (AD). Moving through the network is much easier and faster once you’ve stolen the keys to the kingdom. That’s why it’s so important to identify the signs of privileged account abuse and tampering. Unfortunately, native AD reporting tools have several key limitations that make it difficult to find those signs.

3 Key Limitations of Native Reporting Tools

Auditing — Have Group Policy Object (GPO) settings changed? Native logs have no ability to audit those settings, and they can’t trace before-and-after values of GPO settings. In addition, native logs cannot provide detailed and clear information when a New Technology File System (NTFS) change occurs to a folder, file or share.

Permissions — Native tools offer only limited abilities for delegation of granular permissions. For example, delegating a move from organizational unit (OU) A to OU B requires the user to be given the ability to delete user objects from source OU A. Windows also does not allow for temporal group memberships on privileged groups.

Native tools also cannot delegate access to view specific parts of AD or specific object types based on business views or geography restrictions. Furthermore, they don’t support whitelisting and blacklisting processes that can help prevent even elevated groups — such as domain administrators — from performing sensitive operations.

Auto-remediation — Addressing potential issues shouldn’t be a complex, time-consuming undertaking. Yet unfortunately, AD cannot natively auto-remediate unauthorized actions. For example, when an unauthorized user tries to add an account to a privileged group, the account should be removed from the group automatically. But you would need third-party tools to block that unauthorized user.

Similarly, AD offers no native capabilities to self-clean inactive users or computers. You would need third-party tools if you wanted to automatically locate and disable accounts that have not logged on for 90 days, move them to a disabled users container, or delete them after three days if no one claims the accounts.
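The 90-day disable / 3-day delete workflow just described, scripted with the ActiveDirectory PowerShell module as an added example (not code from the original post or from any vendor product); it assumes a holding OU at `OU=Disabled Users,DC=example,DC=com` and records the disable date in each account's Description attribute so the grace period can be tracked:

```powershell
# Added example: stale-account cleanup with the ActiveDirectory module.
# Assumptions (not from the page): the holding OU below, and the use of the
# Description attribute to stamp the date an account was auto-disabled.
Import-Module ActiveDirectory

$InactiveDays = 90
$GraceDays    = 3
$DisabledOU   = 'OU=Disabled Users,DC=example,DC=com'   # assumption
$Tag          = 'AutoDisabled:'                         # marker written to Description

# Step 1: enabled user accounts with no logon in the last 90 days.
# Search-ADAccount reads lastLogonTimestamp, which replicates with up to ~14 days of lag.
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
         Where-Object { $_.Enabled -and $_.DistinguishedName -notlike "*,$DisabledOU" }

foreach ($acct in $stale) {
    # Step 2: disable, stamp the date, and move into the holding OU.
    Disable-ADAccount -Identity $acct.DistinguishedName
    Set-ADUser -Identity $acct.DistinguishedName -Description "$Tag $(Get-Date -Format 'yyyy-MM-dd')"
    Move-ADObject -Identity $acct.DistinguishedName -TargetPath $DisabledOU
    Write-Host "Disabled and moved $($acct.SamAccountName)"
}

# Step 3: delete accounts that have sat in the holding OU, still disabled and still
# carrying the tag, for longer than the grace period. An account that someone has
# re-enabled or whose Description was changed is treated as "claimed" and left alone.
$cutoff = (Get-Date).AddDays(-$GraceDays)
Get-ADUser -SearchBase $DisabledOU -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object { $_.Description -like "$Tag *" } |
    ForEach-Object {
        $stamped = [datetime]::ParseExact(($_.Description -split ' ')[1], 'yyyy-MM-dd', $null)
        if ($stamped -lt $cutoff) {
            Remove-ADUser -Identity $_.DistinguishedName -Confirm:$false
            Write-Host "Deleted unclaimed account $($_.SamAccountName)"
        }
    }
```

Search-ADAccount also returns accounts that have never logged on, so scope the first query with -SearchBase or exclude recently created accounts before running this on a schedule, and dry-run it with -WhatIf on the Disable/Move/Remove cmdlets first.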

To learn more about the telltale signs of privileged account abuse, check out our informative white paper.